Critical entities: ensuring coherence of non-cyber and cyber resilience


Executive summary


The changing nature of the threat landscape requires better protection and 
more investment in the EU’s resilience capacities to secure our critical 
infrastructure. DIGITALEUROPE welcomes the Commission’s effort to 
strengthen the resilience of critical entities across the EU by developing 
and updating relevant legislation. 


The proposal for a Directive on the resilience of critical entities (RCE Directive)[1] 
expands both the scope and depth of the 2008 European Critical Infrastructure 
(ECI) Directive.[2] 


The following elements should be addressed during the legislative process: 


>> Requirements regarding physical non-cyber protection under the 
proposed RCE Directive should be more clearly separated from 
requirements regarding cyber protection under the revised Directive on 
Security of Network and Information Systems (NIS2);[3] 


>> The RCE Directive should not introduce additional requirements or 
obligations on digital infrastructure, which is already covered exhaustively 
under the NIS2; 


>> Clearer and more transparent supervision practices should be introduced; 
and 


>> Better harmonisation can be achieved between the RCE proposal, the 
NIS2 and the proposed Regulation on digital operational resilience for the 
financial sector (DORA),[4] including in terms of regulatory cooperation, 
implementation timelines and reporting thresholds. 


[2] Council Directive 2008/114/EC. 


[4] COM(2020) 595 final. 


Scope 


The RCE Directive is launched in parallel with the NIS2 review. As recognised in 
the proposal,[5] it is necessary to achieve a coherent approach between the two 
instruments. Overlaps should be avoided between the requirements regarding 
physical non-cyber protection under the proposed RCE Directive and 
requirements regarding cyber protection under the NIS2. 


This distinction should be further clarified in the definition of ‘resilience’ in the 
RCE Directive.[6] It is unclear whether the current definition refers only to 
physical (non-cyber) aspects of resilience or not. Such ambiguity may result in 
national authorities imposing overlapping rules that ultimately weaken the overall 
resilience of the proposed system, causing counterproductive uncertainty and 
complexity for market players. 


Specifying the scope 


The RCE Directive states that Member States must, within three years from 
adoption, establish a list of essential services ‘in the sectors referred to in the 
Annex’.[7] This provision does not explain whether Member States have a right to pick 
categories of services listed in the Annex or whether they are obliged to identify entities 
within each category. As the Directive is focused on critical entities, using terms 
such as ‘essential services’ can also add unnecessary confusion. 
DIGITALEUROPE therefore recommends further clarification of these provisions. 


Legal regime for digital infrastructure 


DIGITALEUROPE understands that the RCE Directive aims to exempt digital 
infrastructure as well as banking and financial market infrastructure from the 
reporting and material obligations foreseen in Chapters III-IV.[8] 


However, the RCE Directive itself remains vague, and there is no clear 
description of what identification as ‘equivalent to critical entities’ implies. It 
must be ensured that the RCE Directive does not introduce resilience 
requirements or additional reporting obligations on digital infrastructure, which is 
already covered exhaustively under the NIS2. 


[5] See Recital 8, COM(2020) 829 final. 
[6] See Art. 2(2), ibid. 
[7] See Art. 4(1), ibid. 
[8] See Art. 7 and Recital 14, ibid. 
[9] See Art. 7, ibid. 


Supervision and enforcement 


Supervision practices should be clear and transparent. 


Under the proposal, national authorities are granted generic powers and means 
to conduct on-site inspections.[10] Moreover, critical entities are subject to specific oversight 
where Member State authorities report to the European Commission and the 
Critical Entities Resilience Group on their compliance with requirements.[11] 
‘Advisory missions’ for compliance monitoring of entities of particular ‘European 
significance’ are also granted generic access to ‘all information, systems and 
facilities relating to the provision of ... essential services’.[12] 


The final text should specify clearer procedural safeguards, including which 
categories of information can be accessed by the authorities and the proposed 
‘advisory missions’, so that the Directive provides legal certainty for entities. 


Harmonisation with other existing legislation 


DIGITALEUROPE welcomes the proposal’s intention to harmonise the RCE 
requirements with existing and future EU legislation such as the NIS2 and the 
proposed DORA Regulation. 


It is important to promote increased coordination among the supervisory bodies 
under these legislative proposals. Notably, the RCE Directive sets out a Critical 
Entities Resilience Group that will cooperate with the NIS Cooperation Group. 
We note that the proposal envisages an annual cadence of meetings between 
the two groups, which may be insufficient to achieve meaningful progress in this 
direction.[13] We would also recommend that the DORA supervisory authorities be 
included. 


Since critical infrastructure is largely owned and managed by private entities, 
DIGITALEUROPE recommends more structural involvement of industry in these 
coordination efforts, both for better alignment and as a resource for 
industry-specific knowledge. 


Lastly, aligned timetables for the entry into force of the RCE Directive, the NIS2 
and DORA would benefit the overall implementation process. 


[10] See Art. 18(1), ibid. 
[11] See Art. 15, ibid. 
[12] See Art. 15(6), ibid. 
[13] See Art. 16, ibid. 


Reporting thresholds 


The RCE Directive, comparable to the NIS2 proposal, calls for notifications of 
incidents having ‘the potential to significantly disrupt operations.’ 


In most cases, such demands will lead to over-reporting by the entity to the 
national authority, with massive amounts of data and information burdening its 
internal incident handling processes. 


Sharing general cyber threats or near misses is not useful and would create an 
unnecessary burden for organisations, which would need to process and try to 
operationalise the information shared. By contrast, periodic updates or threat 
analysis reports from relevant entities, complemented by dialogue to provide 
context, are more relevant and useful. 


[14] See Art. 13, ibid. 